Adopting a Cyber Attacker’s Point of View to Help Protect Data

Sydney, Australia (27 June 2018) – Today, ISACA and SecurityScorecard announce a joint research paper, “Continuous Assurance Using Data Threat Modeling,” to provide enterprises guidance in adopting an attacker’s point of view to help account for data. With a step-by-step guide to apply application threat modelling principles to data, enterprises can now establish a baseline for monitoring ongoing data risk over time.

Enterprises are challenged to move the process of accounting for data in a structured, systematic way higher on the list of priorities. One option to accomplish this challenge is by applying application threat modeling principles to data (data threat modeling). Application threat modeling provides value by allowing application security specialists to systematically evaluate an application from an attacker’s point of view. By doing this, an analyst can methodically analyse an application to identify and map threats that the application is likely to encounter in post-deployment conditions.

“To support a continuous view of anything, there are two things needed: something to measure and a way to perform that measurement frequently or in an ongoing way,” said Fouad Khalil, Head of Compliance, SecurityScorecard. “By implementing this continuous assurance process, an enterprise can be notified as changes happen that impact its understanding of the threats to their applications and, ultimately, their data.”

The ISACA and SecurityScorecard paper provides 11 key questions to ask to implement continuous assurance related to threat understanding, including these five:

What are the specific indicators the enterprise will use to measure changes to the threat environment?

How will the enterprise account for entities in the supply chain?

What instruments are in place to evaluate control performance at third parties?

Who is responsible for maintaining and monitoring the view that is put together?

What is the amount the enterprise is willing to invest in this?

“Organisations often struggle with data protection that feels out of control—and this guidance helps bring clarity to the chaos,” said Karen Heslop, Director of Content Strategy at ISACA.

“Continuous Assurance Using Data Threat Modeling” is available as a complimentary download. For additional ISACA resources, please visit Knowledge-Center. About ISACA Nearing its 50th year, ISACA® is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organisations. ISACA leverages the expertise of its 450,000 engaged professionals in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including 217 chapters worldwide and offices in both the United States and China.

About SecurityScorecard Headquartered in the heart of New York City, SecurityScorecard’s vision is to create a new language for measuring and communicating security risk. The company was founded in late 2013 by Dr. Aleksandr Yampolskiy and Sam Kassoumeh, two former cybersecurity practitioners who had served, respectively, as Chief Information Security Officer and Head of Security and Compliance. With cloud solutions becoming an increasingly integral part of the security technology stack Yampolskiy and Kassoumeh recognised the need to address third- and fourth-party risk as well as better understand the security capabilities of their business partners. Since its founding, the company has grown dramatically and now counts hundreds of leading brands as customers. SecurityScorecard is backed by leading venture capital investors including Sequoia Capital, GV, NGP Capital, Evolution Equity Partners, Boldstart Ventures, AXA Venture Partners among others. For more information, visit SecurityScorecard